Debian DLA-2596-1 : shadow security update

critical Nessus Plugin ID 147813

Synopsis

The remote Debian host is missing a security update.

Description

Several vulnerabilities were discovered in the shadow suite of login tools. An attacker may escalate privileges in specific configurations.

CVE-2017-20002

Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to log in as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges. It should be noted, however, that /etc/securetty will be dropped in Debian 11/bullseye.
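A defender-side check for the CVE-2017-20002 condition described above, as an added example that is not part of the advisory or the shadow package: it flags pts/N entries in a securetty file and reports whether blank-password accounts combined with PAM's nullok_secure make them a concern. The function names and the default /etc/pam.d/common-auth path are assumptions.

```shell
#!/bin/sh
# Added audit sketch for CVE-2017-20002; function names are hypothetical.
# File paths are parameters so copies can be checked offline.

# Print pseudo-terminal entries (pts/N) found in a securetty-format file.
securetty_pts_entries() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^pts/[0-9]+$' || true
}

# Print accounts whose password field (2nd field) in a shadow file is empty.
passwordless_accounts() {
    [ -r "$1" ] || return 0
    awk -F: '$1 != "" && $2 == "" { print $1 }' "$1"
}

# Succeed if a non-comment pam_unix.so line carries nullok_secure.
uses_nullok_secure() {
    [ -r "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep 'pam_unix\.so' | grep -qw 'nullok_secure'
}

# Return 0 = no pts entries, 1 = pts entries present, 2 = pts entries plus
# blank-password accounts admitted via nullok_secure.
audit_securetty() {
    securetty=${1:-/etc/securetty}
    shadow=${2:-/etc/shadow}
    pamfile=${3:-/etc/pam.d/common-auth}   # assumed Debian default location
    pts=$(securetty_pts_entries "$securetty")
    empty=$(passwordless_accounts "$shadow")
    if [ -z "$pts" ]; then
        echo "OK: no pts entries in $securetty"
        return 0
    fi
    echo "pts entries in $securetty:" $pts
    if [ -n "$empty" ] && uses_nullok_secure "$pamfile"; then
        echo "EXPOSED: blank-password accounts usable from pts:" $empty
        return 2
    fi
    echo "WARN: pts entries are listed as secure terminals"
    return 1
}
```

Called with no arguments, `audit_securetty` reads the live files; reading /etc/shadow requires root.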

CVE-2017-12424

The newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.

For Debian 9 stretch, these problems have been fixed in version 1:4.4-4.1+deb9u1.

We recommend that you upgrade your shadow packages.

For the detailed security status of shadow please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/shadow

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected login, passwd, and uidmap packages.

See Also

https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html

https://packages.debian.org/source/stretch/shadow

https://security-tracker.debian.org/tracker/source-package/shadow

Plugin Details

Severity: Critical

ID: 147813

File Name: debian_DLA-2596.nasl

Version: 1.5

Type: local

Agent: unix

Published: 3/16/2021

Updated: 1/12/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-12424

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:login, p-cpe:/a:debian:debian_linux:passwd, p-cpe:/a:debian:debian_linux:uidmap, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/17/2021

Vulnerability Publication Date: 8/4/2017

Reference Information

CVE: CVE-2017-12424, CVE-2017-20002